Security Vulnerabilities - CVEs Published In March 2023
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 247606.
CVSS Score
4.3
EPSS Score
0.002
Published
2023-03-22
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 could allow an authenticated user to perform actions that they should not have access to due to improper authorization. IBM X-Force ID: 247630.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-03-22
A vulnerability in Trend Micro Endpoint Encryption Full Disk Encryption version 6.0.0.3204 and below could allow an attacker with physical access to an affected device to bypass Microsoft Windows� Secure Boot process in an attempt to execute other attacks to obtain access to the contents of the device.
An attacker must first obtain physical access to the target system in order to exploit this vulnerability. It is also important to note that the contents of the drive(s) encrypted with TMEE FDE would still be protected and would NOT be accessible by the attacker by exploitation of this vulnerability alone.
CVSS Score
6.8
EPSS Score
0.0
Published
2023-03-22
A remote Cross-site Scripting vulnerability was discovered in HPE Integrated Lights-Out 6 (iLO 6), Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 4 (iLO 4). HPE has provided software updates to resolve this vulnerability in HPE Integrated Lights-Out.
CVSS Score
8.3
EPSS Score
0.002
Published
2023-03-22
Potential security vulnerabilities have been identified in the HPE FlexFabric 5700 Switch Series. These vulnerabilities could be remotely exploited to allow host header injection and URL redirection. HPE has made the following software to resolve the vulnerability in HPE FlexFabric 5700 Switch Series version R2432P61 or later.
CVSS Score
5.3
EPSS Score
0.002
Published
2023-03-22
An authenticated remote code execution vulnerability
exists in the AOS-CX Network Analytics Engine. Successful
exploitation of this vulnerability results in the ability to
execute arbitrary code as a privileged user on the underlying
operating system, leading to a complete compromise of the
switch running AOS-CX.
CVSS Score
7.2
EPSS Score
0.017
Published
2023-03-22
[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.
When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.
It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
CVSS Score
7.5
EPSS Score
0.0
Published
2023-03-22
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.
CVSS Score
5.9
EPSS Score
0.001
Published
2023-03-22
TXOne StellarOne has an improper access control privilege escalation vulnerability in every version before V2.0.1160 that could allow a malicious, falsely authenticated user to escalate his privileges to administrator level. With these privileges, an attacker could perform actions they are not authorized to.
Please note: an attacker must first obtain a low-privileged authenticated user's profile on the target system in order to exploit this vulnerability.
CVSS Score
8.8
EPSS Score
0.006
Published
2023-03-22
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to create arbitrary users on the platform. A successful exploit allows an attacker to achieve total cluster compromise.
CVSS Score
9.8
EPSS Score
0.005
Published
2023-03-22